Networking Flashcards

Question 1

Q

Security groups are attached to?

Answer

A

Elastic Network Interfaces (ENI) - and not instances

Question 2

Q

How do you explicitly block traffic within a VPC?

Answer

A

With NACLs. Security Groups do NOT support this.

Question 3

Q

Which protocol and port operates BGP on?

Question 4

Q

What is number range for ASN within BGP?

Question 5

Q

Which ASN numbers within BGP are private?

Answer

A

64512-65534

Question 6

Q

What’s iBGP?

Answer

A

Internal BGP - Routing within an Autonomous System (AS)

Question 7

Q

What’s eBGP?

Answer

A

External BGP - Routing between Autonomous Systems (AS)

Question 8

Q

What are the “anycast IP addresses” of AWS Global Accelerator?

Answer

A

Two static IP addresses that serve as fixed entry point to an application hosted in one or more AWS region.

Question 9

Q

What’s the max. bandwidth of a single VPN connection (with two tunnels)?

Answer

A

1.25 Gbps

Question 10

Q

What’s the max. bandwidth of a Virtual Private Gateway?

Answer

A

For VPN connections: 1.25 Gbps

For DX connections: same as the DX connection

Question 11

Q

What are valid attachments for AWS Transit Gateway (TGW)?

Answer

A

One, or more, of the following:

VPC
VPN
Direct Connect Gateway
Transit Gateway Peering
Transit Gateway Connect

Question 12

Q

Do AWS Transit Gateway (TGW) support transitive routing?

Answer

A

Yes, if route tables are set up correctly

Question 13

Q

What are key features of AWS Transit Gateway (TGW)?

Answer

A

Transitive routing, cross region (via peering) and cross account support.

IMPORTANT: they are regional components, so have to be placed in a specific region and be peered to provide cross-region support. This also means that they fail if a complete region fails.

Question 14

Q

Up to how many route tables can a subnet have assigned?

Answer

A

1 (and always 1 as a subnet must always have a route table assigned)

Question 15

Q

What network elements can route tables be assigned to?

Answer

A

VPCs
Subnets
Gateways (IGW, VGW, TGW, Outposts local gateway)

Question 16

Q

What are the default limits of a route table?

Answer

A

50 static and 100 dynamic routes

Question 17

Q

What’s route propagation in the context of AWS VPC’s Route Tables, and what is the maximum number of connections in this context?

Answer

A

An option of route tables that allows Virtual Private Gateways (VGW) to dynamically add routes that the VGW learns from an attached VPN connection to it’s associated route table. The maximum number of dynamic routes that can be added via this way is 100 (per route table).

Question 18

Q

What are the criteria that a route table decides on where to route traffic to (starting with most relevant criteria)?

Answer

A

Prefix length
Static Routes
Dynamic Routes (and inside Dynamic Routes: DX > VPN Static > VPN BGP > AS_PATH)

Question 19

Q

What’s a Gateway route table?

Answer

A

A special type of route table that can be assigned to Internet Gateways (IGW), Virtual Private Gateways (VGW) and Transit Gateways (TGW).

Question 20

Q

With which network component can you use Accelerated Site-To-Site VPN with?

Answer

A

Only with AWS Transit Gateways (TGW), so when creating a TGW VPN attachment.

Question 21

Q

What costs are associated with using an Accelerated Site-To-Site VPN?

Answer

A

What are costs for AWS Site-to-Site VPN connections based on?

hours the VPN connection is provisioned ($/h)
egress fee ($/GB)
hourly fee for the two Global Accelerators
accelerator transfer fee for the dominant direction

Question 22

Q

What are the two possible attachments for a Site-To-Site VPN?

Answer

A

Transit Gateway (TGW)

- Virtual Private Gateway (VGW)

Question 23

Q

What are the bandwidths available for Direct Connect (DX) when provided natively by AWS (so called “Dedicated Connection”)?

Answer

A

1, 10 and 100 Gbps (the latter only at selected locations)

Question 24

Q

What’s a hosted virtual interface (VIF)?

Answer

A

It’s a virtual interface type that can be used to share a AWS Direct Connect connection with another AWS account.

Question 25

Q

What’s the maximum number of VIFs per AWS Direct Connect (DX) connection?

Answer

A

50 private/public VIFs + 1 transit VIF

Question 26

Q

What’s a Hosted Connection in the context of AWS Direct Connect (DX)?

Answer

A

It’s a DX connection provided by a AWS Partner that provides exactly one hosted VIF that a customer can acquire. Bandwidth of that VIF is exclusive to the customer.

Question 27

Q

What are the bandwidths available for AWS Direct Connect (DX) when provided by an AWS Partner?

Answer

A

50Mbps - 10Gbps

Question 28

Q

What’s important to know about Hosted VIFs when provided by an AWS Partner?

Answer

A

Unlike Hosted Connections, Hosted VIFs provided by an AWS Partner share the bandwidth with other Hosted VIFs on that same connection. Therefore, bandwidth could be lower than what’s been ordered/promised.

Question 29

Q

Are AWS Direct Connect (DX) connections sending data in plain text or encrypted?

Answer

A

In plain text, unless additional technologies such as VPN are applied.

Question 30

Q

What’s a Cross-Connect in the context of AWS Direct Connect (DX)?

Answer

A

The physical link between AWS DX router and Customer/Provider DX router inside a DX location. Note: this is NOT the physical connection between DX location and on-premise location.

Question 31

Q

Can Link Aggregation Groups (LAGs) use connections of different speeds?

Answer

A

No. All connections must have the same speed.

Question 32

Q

What’s the primary purpose of Link Aggregation Groups (LAGs)?

Answer

A

Speed. And NOT resilience (even though that they do improve certain resilience aspects of the architecture).

Question 33

Q

What’s the ‘minimumLink’ attribute used for within the context of Link Aggregation Groups (LAGs)?

Answer

A

It defines the minimum of healthy connections, at which the LAG is still considered healthy. For instance, with a LAG of 4 DX connections and a minimumLink of, the LAG is still healthy with only 2 DX connections.

Question 34

Q

What’s the maximum number of Virtual Private Gateways (VGW) per DX Gateway and can it be increased?

Answer

A

10
Cannot be increased

https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

Question 35

Q

Do Virtual Private Gateways (VGWs) support inter-VPC-routing?

Question 36

Q

What’s the maximum number of DX Gateways supported per DX Connection?

Question 37

Q

What are valid targets for an Application Load Balancer?

Answer

A

Target groups operating on HTTP/HTTPS level, using the following target types:

EC2 instances (incl. ECS-provided instances)
IP addresses
Lambda functions

Question 38

Q

Can an internet-facing ELB communicate with EC2 instances from private or public subnets, or both?

Answer

A

Both (so also instances in private subnets are accessible for the ELB)

Question 39

Q

What’s an Interface Endpoint attached to?

Answer

A

A specific subnet, as an ENI (so they are not highly available by default!)

Question 40

Q

What’s a Gateway Endpoint attached to?

Question 41

Q

What protocols do Interface Endpoints support?

Answer

A

IPv4 traffic over TCP only

Question 42

Q

How can you restrict access to an Interface Endpoint?

Answer

A

Via Endpoint Policy and via Security Groups (as it’s an ENI)

Question 43

Q

What’s the maximum single-flow network performance EC2 instances can communicate with each other in a Cluster Placement Group?

Answer

A

10 Gbps (vs. the 5 Gbps you’d have normally)

Question 44

Q

What are limitations (i.e. things to look out for) when creating Cluster Placement Groups?

Answer

A

All EC2 instances must reside in the same AZ
Requires a supported instance type
All instances should be of the same type and started at the same time

Question 45

Q

What’s the maximum number of instances in a single AZ when using Spread Placement Groups?

Question 46

Q

What tenant options can you use for Spread Placement Groups?

Answer

A

Shared only. “Dedicated Instance” or “Dedicated Host” are not supported with Spread Placement Groups.

Question 47

Q

What’s the maximum number of partitions in a single AZ when using Partition Placement Groups?

Question 48

Q

What’s the maximum number of instances in a single AZ when using Partition Placement Groups?

Answer

A

There is no explicit limit. Instead the same limit applies as when not using any Placement Group at all (so just limited by the max. number of currently free instances in that AZ),

Question 49

Q

For which type of workloads are Partition Placement Groups ideal?

Answer

A

Large, distributed and replicated workloads, such as Apache’s HDFS (file system), HBase, and Cassandra (both NoSQL DBs). Ideally, topology-aware workloads/applications.

Question 50

Q

What’s the largest CIDR range allowed in a VPC?

Question 51

Q

Are NAT Gateways deployed into a VPC, or into the subnet of a VPC? Are they highly available?

Answer

A

Into PUBLIC subnet(s), so they are not resilient to AZ-failures. They are however highly-available inside an AZ, which makes them more reliable than NAT Instances.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Question 52

Q

802.1Q is a networking standard used for what?

Answer

A

Virtual LANs (VLANs) - used often in company networks, but also in AWS, to isolate networks

Question 53

Q

802.1AD is a networking standard used for what?

Answer

A

Nested QinQ VLANs - used often by service providers, extending the VLAN standard (802.1Q)

Question 54

Q

For an Ethernet frame, what’s the payload size in bytes from which on a frame is considered a “jumbo” frame, and what’s the max. size of a jumbo frame’s payload?

Answer

A

> 1500 bytes

Max.: 9000 bytes

Question 55

Q

Which of the following does/does not support jumbo frames?

1) Traffic outside of a single VPC
2) Traffic over an inter-region VPC peering connection
3) .. same region peering
4) Traffic over VPN connections
5) Traffic over an internet gateway
6) Direct Connect
7) Transit Gateway

Answer

A

1) no
2) no
3) yes
4) no
5) no
6) yes
7) yes, up to 8500 bytes

Question 56

Q

What’s IKE Phase 1 used for in the context of IPSec VPN?

Answer

A

Initial phase of an IPSec VPN connection where symmetric keys are exchanged via an asymmetric encryption - results in a “phase 1 tunnel” that stays open

Question 57

Q

What’s IKE Phase 2 used for in the context of IPSec VPN?

Answer

A

Second phase of an IPSec VPN connection where parties agree on an encryption method and a new set of keys that’s used for the bulk data transfer - results in a “phase 2” tunnel that is used for the actual data transfer - phase 2 tunnel is torn down again when no more “interesting traffic” occurs

Question 58

Q

When having a Client VPN set up, what do you need to do to avoid that traffic between local clients, and from local clients to the internet, aren’t routed via the Client VPN Endpoint?

Answer

A

You must enable a “Split Tunnel” on the Client VPN endpoint, so that the Client VPN routes are merely added to the existing ones, rather than replacing them.

Question 59

Q

What’s the difference between Private and Public VIFs?

Answer

A

Private VIFs connect to private AWS resources such as a Virtual Private Gateway. Public VIFs connect to public AWS resources such as S3 or SQS, or resources with a public IP addressing.

Question 60

Q

What’s the physical medium that Direct Connect runs over?

Answer

A

Fiber (no copper!)

Question 61

Q

What’s the Ethernet standard required for a transceiver to support a 1 Gbp/s Direct Connect connection?

Answer

A

1000BASE-LX

Question 62

Q

What’s the Ethernet standard required for a transceiver to support a 10 Gbp/s Direct Connect connection?

Answer

A

10GBASE-LR

Question 63

Q

What’s the Ethernet standard required for a transceiver to support a 100 Gbp/s Direct Connect connection?

Answer

A

100GBASE-LR4

Question 64

Q

What do you need to configure regarding the following attributes on Direct Connect ports to ensure proper function?

Auto-Negotiation
Port speed
Full-Duplex

Answer

A

Auto-Negotiation: disabled
Port speed: manually set
Full-Duplex: manually set

Answer 57

A

It’s an ethernet standard that enables encryption of frames between two switches/routers, specifically with AWS Direct Connect, encryption between on-prem router and DX Location AWS cage router.

The two problems/benefits it has are:

Layer 2/3 Confidentiality and integrity: secures Ethernet link, incl. Layer 2 packages such as ARP & DHCP, and Layer 3 routing protocols like BGP
High speed encryption: enables encryption with 10/100 Gbps DX, which would otherwise be difficult to achieve (would require multiple VPN tunnels).

Answer 58

A

It’s a document used to authorize a cross-connect connection between an AWS-cage and the customer or com-provider cage at a Direct Connect location.

Answer 59

A

Virtual Interface

Allows running multiple layer 3 sessions over the same layer 2 connection. Consists of a BGP Peering session + VLAN.

Answer 60

A

Allow integration between Transit Gateways and Direct Connect.

Answer 61

A

Two network devices that can directly communicate with each other on layer 2, i.e. exchanging frames.

Answer 62

A

Used to exchange network information between two BGP systems.

Answer 63

A

Maximum transmission unit = size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction.

Relates to, but is not identical to maximum frame size of an Ethernet frame. As with Ethernet frame sizes, an MTU larger than 1500 is typically referred to as “Jumbo Frames”.

Answer 64

A

Virtual Private Gateway (VGW)
Direct Connect Gateway

NOT: Transit Gateways (that’s what “transit VIFs” are for)

Answer 65

A

100 (hard limit)

Note: if advertising more, the interface will move into an Idle state and won’t be functional.

Answer 66

A

Private VIFs can only connect to VPGs in the same region as the DX location

Answer 67

A

Public VIF (as the VGW IPs that the connection is established with on the AWS side are public)

Answer 68

A

1 Private VIF = 1 DX Gateway & 10 VGW per DX Gateway

1 DX can have 50 private VIFs == 50 DX Gateways == 500 VPCs

Answer 69

A

No, not by default. This requires either additional networking components such as Transit Gateway, or routing via the Customer Gateway Router (which is not ideal due to performance and resilience reasons).

Answer 70

A

3 (1 transit VIF per DX connection and 3 TGW per transit VIF)

Answer 71

A

No. Public VIFs cannot be used with Direct Connect Gateways anyway. And you cannot use a Direct Connect Gateway with private and transit VIFs at the same time.

Answer 72

A

2 x 100 Gbps
- or -
4 x < 100 Gbps (10 Gbps, 1 Gbps, etc.)

==> Max: 200 Gbps

Answer 73

A

Yes, but very limited, so it should not considered for improving resilience. They key advantage is improved performance (with the caveat of admin overhead though).

Answer 74

A

It’s a mechanism of the Classic Load Balancer that allows in-flight requests to complete even if the target instance is unhealthy or in the process of being deregistered.

The equivalent mechanism for ALB, NLB and GWLB is called “Deregistration Delay”, that is configured on the Target Group level though, not on the LB itself.

Answer 75

A

Allows Application Load Balancers (ALBs), Network Load Balancers (NLBs) and Gateway Load Balancers (GWLBs) to complete in-flight requests even if the target instance is unhealthy or in the process of being deregistered.

The equivalent mechanism for ALB, NLB and GWLB is called “Connection Draining”, that is configured directly on the Load Balancer though, and not via the Target Group.

Answer 76

A

It’s an HTTP header, used by Classic Load Balancers and Application Load Balancers to ensure that the target is able to identify where a request originated from.

Answer 77

A

PROXY Protocol, which is a layer 4 header, supported by Classic Load Balancer and Network Load Balancer. If an unbroken HTTP/HTTPS connection is required, PROXY Protocol has to be used instead of X-Forwarded-For. That’s because adding the X-Forwarded-For header is layer 7 and is possible only by unencrypting the packages, adding the header, and re-encrypting it.

Answer 78

A

It’s a network encapsulation protocol used by AWS Gateway Load Balancers.

Answer 79

A

Only package metadata

Answer 80

A

VPC, Subnet, Interface (ENI)

Answer 81

A

No, as data is not collected and served in real-time.

Answer 82

A

Example: 2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

Source Address: 172.31.16.139
Destination Address: 172.31.16.21
Source Port: 20641
Destination Port: 22
Protocol: 6 (=> TCP)

Answer 83

A

instance metadata service (169.254.169.254)
DHCP
Amazon DNS server
Amazon Windows license server

Answer 84

A

Route 53

- CloudFront

Answer 85

A

EC2
Elastic Load Balancing (ELB)
Global Accelerator

This is in addition to the following services, which are already covered by AWS Shield Standard:

CloudFront
Route 53

Answer 86

A

Layer 3 and 4 DDoS protection for additional services
Layer 7 protections (HTTP and DNS floods)
DDoS Response Team
Financial Insurance (if resources scale up due to Shield response)

Answer 87

A

Application Load Balancer
API Gateway
CloudFront
AppSync

Answer 88

A

SQL Injections, Cross-Site Scripting

Answer 89

A

Target groups operating on TCP/TLS/UDP level, using the following target types:

EC2 instances
IP addresses
Application Load Balancer

Answer 90

A

An attachment for Transit Gateway that establishes a connection from the TGW to a third-party virtual appliance (such as SD-WAN appliances).

Answer 91

A

A feature that’s available for selected EC2 instance types, delivering dedicated throughput between EC2 and EBS with options between 500 and 4,000 Mbps.

Answer 92

A

Elastic Network Adapter (ENA) - up to 100 Gbps

- Intel 82599 Virtual Function (VF) interface - up to 10 Gbps

Answer 93

A

Before DX Gateways, DX connections could only established if the DX location and the target Virtual Private Gateway (VPG), along with the attached VPC, were in the same region. DX Gateway instead is a global service and can serve as a hub between DX location and VPGs, so that one DX connection can connect to VPCs in any region.

Answer 94

A

Launch instances in Cluster Placement groups
Use bigger instance types
Enable Enhanced Networking
Enable jumbo frames

Attaching multiple ENIs can also improve network performance, but depending on the instance type, may not bring anything at all. This is why the options above should be preferred.

Answer 95

A

Both

VPCs come with a default NACL, which is also the NACL that a subnet inside that VPC uses, if no other NACL is assigned to the subnet.

Answer 96

A

254.169.253

172. 31.0.2 (VPC base address +2)

Answer 97

A

172.31.0.2 (VPC base address +2)

Note: alternatively, 169.254.169.253 works as well, but here it’s the VPC-based Amazon DNS server IPv4 address that we’re looking for.

Answer 98

A

Two available options:
A) The subnet that the instance is launched in must have the “Auto-assign public IPv4 address” set to true.
B) When configuring the instance’s configuration details during the launch, the “Auto-assign Public IP” option is enabled.

Note: to actually receive the IP, the subnet must also be connected to an IGW.

Answer 99

A

Depends on the Load Balancer type:

for Classic Load Balancer: on the LB-level
for other Load Balancers: on the TG-level

Answer 100

A

Used in conjunction with Load Balancers. Defines the targets to which the Load Balancer sends traffic to, which can be any of the following:

Instances
IP addresses
Lambda function
Application Load Balancer

Note: depending on the protocol used by the Target Group, the Target Group is visible when creating a Load Balancer or not. NLB for instance can use only Target Groups where the protocol is TCP/TLS/UDP.

Answer 101

A

For static VPNs

Answer 102

A

They’re attached directly to the VPC (and not to the subnet for instance). It’s a highly available component that is redundant across AZs, so failure of one or more AZs would not impact the IGW.

Answer 103

A

Like NAT Instances, NAT Gateways are created inside a single subnet. If the AZ that the subnet resides in fails, the NAT Gateway won’t be available anymore. To ensure High-Availability, multiple NAT Gateways are therefore required, spread across different AZs, with routes being set up from the different subnets across those multiple NAT Gateways.

Answer 104

A

They’re resilient to AZ failure
They use Prefix Lists
They can be used without any application changes

Answer 105

A

They’re NOT resilient to AZ failure by default, but can be made to by placing multiple interface endpoints into different AZs
They use DNS
They can be used without any application changes, but only if Private DNS is enabled

Answer 106

A

Yes, via AWS Site-to-Site VPN or AWS Direct Connect

Answer 107

A

ENI (Elastic Network Interface) is the default network adapter (Elastic Network Interface) for any EC2 instance and other VPC components such as PrivateLink, providing up to 10 Gbp/s, suited for general purposes.

ENA (Elastic Network Adapter) is an enhanced networking option using single root I/O virtualization (SR-IOV). It provides higher network speed and I/O performance, lower CPU utilization and lower (and consistent) latencies. Available only on supported instance types, enabled by default on Nitro instances. Note: an alternative to ENA is “Intel 82599 VF interface”, which is considerably slower though, but using the same technique (SR-IOV).

EFA (Elastic Fabric Adapter) is ENA with added capabilities. It further improves network speed, I/O performance and latencies. Behind the scenes, EFA uses OS-bypass capabilities, which makes it ideal for High Performance Computing (HPC) and machine learning applications.

https: //docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html
https: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html
https: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
https: //docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/enhanced-networking.html

Brainscape's Knowledge GenomeTM

Networking Flashcards

Brainscape's Knowledge Genome^TM